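#!/bin/sh
#
# Build a {{ DIST }} chroot with mmdebstrap ({{ CMD }}) and compare it against
# a debootstrap-created reference tarball taken from ./cache.  Everything that
# is legitimately allowed to differ between the two tools (logs, apt caches,
# lock files, host-specific apt.conf snippets, files whose line order is not
# stable) is normalised or removed from both trees first; any difference that
# is left makes the script fail, because `set -e` turns a non-zero exit of
# cmp/diff into an abort.
#
# Template variables: CMD, VARIANT, MODE, DIST, MIRROR, HOSTARCH,
# SOURCE_DATE_EPOCH.  Has to run as root (chroot, chown, device nodes).

set -eu

# A fixed locale keeps the output of sort/grep/diff byte-stable across hosts.
export LC_ALL=C.UTF-8

export SOURCE_DATE_EPOCH={{ SOURCE_DATE_EPOCH }}

echo "SOURCE_DATE_EPOCH=$SOURCE_DATE_EPOCH"

# we create the apt user ourselves or otherwise its uid/gid will differ
# compared to the one chosen in debootstrap because of different installation
# order in comparison to the systemd users
# https://bugs.debian.org/969631
# we cannot use useradd because passwd is not Essential:yes
#
# with cron 3.0pl1-142 and the introduction of cron-daemon-common, installation
# order of cron and systemd started to differ between debootstrap and
# mmdebstrap, resulting in different gid values
#
# Notes on the hand-written account entries:
#  - the passwd line has "*" in the password field (not a valid hash, so no
#    password login is possible) and /usr/sbin/nologin as shell, i.e. the same
#    locked state useradd would produce for a system account.  The entry is
#    double-quoted inside the hook so that the "*" is never subject to
#    pathname expansion by the hook's shell.
#  - "$1" inside a hook is the chroot directory handed over by mmdebstrap; it
#    is quoted so a path with spaces cannot split the redirection target.
#  - NOTE(review): the printf for /etc/group ends without a trailing newline;
#    presumably that is what the reference tree contains -- confirm before
#    changing it.
#  - the $(case ...) substitution is deliberately left unquoted: for
#    oldstable/stable it must expand to no argument at all, not to an empty
#    string argument.
{{ CMD }} --variant={{ VARIANT }} --mode={{ MODE }} \
  --essential-hook='if [ "{{ VARIANT }}" = - ]; then echo "_apt:*:100:65534::/nonexistent:/usr/sbin/nologin" >> "$1"/etc/passwd; fi' \
  --essential-hook='if [ "{{ VARIANT }}" = - ] && { [ "{{ DIST }}" = unstable ] || [ "{{ DIST }}" = testing ]; }; then printf "systemd-journal:x:101:\nsystemd-network:x:102:\nsystemd-resolve:x:103:\ncrontab:x:104:" >> "$1"/etc/group; fi' \
  $(case {{ DIST }} in oldstable|stable) : ;; *) echo --hook-dir=./hooks/merged-usr ;; esac) \
  {{ DIST }} /tmp/debian-{{ DIST }}-mm.tar {{ MIRROR }}

# Unpack the fresh mmdebstrap tarball.  --xattrs --xattrs-include='*' keeps
# extended attributes, including security.capability; without it the file
# capability check on /bin/ping further down could not succeed.
#
# The scratch paths under /tmp are predictable.  mkdir without -p aborts (via
# set -e) if something already sits at that path, so a pre-planted directory
# or symlink fails loudly instead of being reused; the .tar written by
# {{ CMD }} above has no such guard, so this script assumes an isolated test
# host.
mkdir /tmp/debian-{{ DIST }}-mm
tar --xattrs --xattrs-include='*' -C /tmp/debian-{{ DIST }}-mm -xf /tmp/debian-{{ DIST }}-mm.tar
rm /tmp/debian-{{ DIST }}-mm.tar

# Unpack the debootstrap reference tree from the cache.
mkdir /tmp/debian-{{ DIST }}-debootstrap
tar --xattrs --xattrs-include='*' -C /tmp/debian-{{ DIST }}-debootstrap -xf "cache/debian-{{ DIST }}-{{ VARIANT }}.tar"

# diff cannot compare device nodes, so we use tar to do that for us and then
# delete the directory
tar -C /tmp/debian-{{ DIST }}-debootstrap -cf dev1.tar ./dev
tar -C /tmp/debian-{{ DIST }}-mm -cf dev2.tar ./dev
ret=0
cmp dev1.tar dev2.tar || ret=$?
if [ "$ret" -ne 0 ]; then
  # Dump the difference with the best tool available, then fail.  Every
  # branch ends in exit 1; the final exit 1 covers the case that none of the
  # tools is installed.  command -v (instead of type) keeps a missing tool
  # from printing a "not found" line of its own.
  if command -v diffoscope >/dev/null 2>&1; then
    diffoscope dev1.tar dev2.tar
    exit 1
  else
    echo "no diffoscope installed" >&2
  fi
  if command -v base64 >/dev/null 2>&1; then
    base64 dev1.tar
    base64 dev2.tar
    exit 1
  else
    echo "no base64 installed" >&2
  fi
  if command -v xxd >/dev/null 2>&1; then
    xxd dev1.tar
    xxd dev2.tar
    exit 1
  else
    echo "no xxd installed" >&2
  fi
  exit 1
fi
rm dev1.tar dev2.tar
rm -r /tmp/debian-{{ DIST }}-debootstrap/dev /tmp/debian-{{ DIST }}-mm/dev

# From here on, files that are expected to differ are deleted from the tree(s)
# that have them.  Plain rm (not rm -f) is intentional: a file that is
# suddenly missing is itself a change worth noticing.

# remove downloaded deb packages
rm /tmp/debian-{{ DIST }}-debootstrap/var/cache/apt/archives/*.deb
# remove aux-cache
rm /tmp/debian-{{ DIST }}-debootstrap/var/cache/ldconfig/aux-cache
# remove logs
rm /tmp/debian-{{ DIST }}-debootstrap/var/log/dpkg.log \
  /tmp/debian-{{ DIST }}-debootstrap/var/log/bootstrap.log \
  /tmp/debian-{{ DIST }}-debootstrap/var/log/alternatives.log
# remove *-old files
rm /tmp/debian-{{ DIST }}-debootstrap/var/cache/debconf/config.dat-old \
  /tmp/debian-{{ DIST }}-mm/var/cache/debconf/config.dat-old
rm /tmp/debian-{{ DIST }}-debootstrap/var/cache/debconf/templates.dat-old \
  /tmp/debian-{{ DIST }}-mm/var/cache/debconf/templates.dat-old
rm /tmp/debian-{{ DIST }}-debootstrap/var/lib/dpkg/status-old \
  /tmp/debian-{{ DIST }}-mm/var/lib/dpkg/status-old
# remove dpkg files
rm /tmp/debian-{{ DIST }}-debootstrap/var/lib/dpkg/available
rm /tmp/debian-{{ DIST }}-debootstrap/var/lib/dpkg/cmethopt

# since we installed packages directly from the .deb files, Priorities differ
# thus we first check for equality and then remove the files
# (diff -u exits non-zero on any difference, which aborts the script)
chroot /tmp/debian-{{ DIST }}-debootstrap dpkg --list > dpkg1
chroot /tmp/debian-{{ DIST }}-mm dpkg --list > dpkg2
diff -u dpkg1 dpkg2
rm dpkg1 dpkg2
grep -v '^Priority: ' /tmp/debian-{{ DIST }}-debootstrap/var/lib/dpkg/status > status1
grep -v '^Priority: ' /tmp/debian-{{ DIST }}-mm/var/lib/dpkg/status > status2
diff -u status1 status2
rm status1 status2
rm /tmp/debian-{{ DIST }}-debootstrap/var/lib/dpkg/status /tmp/debian-{{ DIST }}-mm/var/lib/dpkg/status

# debootstrap exposes the hosts's kernel version
if [ -e /tmp/debian-{{ DIST }}-debootstrap/etc/apt/apt.conf.d/01autoremove-kernels ]; then
  rm /tmp/debian-{{ DIST }}-debootstrap/etc/apt/apt.conf.d/01autoremove-kernels
fi
if [ -e /tmp/debian-{{ DIST }}-mm/etc/apt/apt.conf.d/01autoremove-kernels ]; then
  rm /tmp/debian-{{ DIST }}-mm/etc/apt/apt.conf.d/01autoremove-kernels
fi

# who creates /run/mount?
if [ -e "/tmp/debian-{{ DIST }}-debootstrap/run/mount/utab" ]; then
  rm "/tmp/debian-{{ DIST }}-debootstrap/run/mount/utab"
fi
if [ -e "/tmp/debian-{{ DIST }}-debootstrap/run/mount" ]; then
  rmdir "/tmp/debian-{{ DIST }}-debootstrap/run/mount"
fi

# debootstrap doesn't clean apt
rm /tmp/debian-{{ DIST }}-debootstrap/var/lib/apt/lists/127.0.0.1_debian_dists_{{ DIST }}_main_binary-{{ HOSTARCH }}_Packages \
  /tmp/debian-{{ DIST }}-debootstrap/var/lib/apt/lists/127.0.0.1_debian_dists_{{ DIST }}_Release \
  /tmp/debian-{{ DIST }}-debootstrap/var/lib/apt/lists/127.0.0.1_debian_dists_{{ DIST }}_Release.gpg

if [ "{{ VARIANT }}" = "-" ]; then
  # machine-id and the journal catalog are generated per build
  rm /tmp/debian-{{ DIST }}-debootstrap/etc/machine-id
  rm /tmp/debian-{{ DIST }}-mm/etc/machine-id
  rm /tmp/debian-{{ DIST }}-debootstrap/var/lib/systemd/catalog/database
  rm /tmp/debian-{{ DIST }}-mm/var/lib/systemd/catalog/database

  # Both trees must carry the file capability on /bin/ping (cap_net_raw
  # instead of a setuid bit).  getcap's output format changed between
  # releases, hence the oldstable special case.  This is the check that
  # depends on the --xattrs extraction above.
  cap=$(chroot /tmp/debian-{{ DIST }}-debootstrap /sbin/getcap /bin/ping)
  expected="/bin/ping cap_net_raw=ep"
  if [ "{{ DIST }}" = oldstable ]; then
    expected="/bin/ping = cap_net_raw+ep"
  fi
  if [ "$cap" != "$expected" ]; then
    echo "expected bin/ping to have capabilities $expected" >&2
    echo "but debootstrap produced: $cap" >&2
    exit 1
  fi
  cap=$(chroot /tmp/debian-{{ DIST }}-mm /sbin/getcap /bin/ping)
  if [ "$cap" != "$expected" ]; then
    echo "expected bin/ping to have capabilities $expected" >&2
    echo "but mmdebstrap produced: $cap" >&2
    exit 1
  fi
fi

# apt state that only exists because mmdebstrap actually ran apt
rm /tmp/debian-{{ DIST }}-mm/var/cache/apt/archives/lock
rm /tmp/debian-{{ DIST }}-mm/var/lib/apt/extended_states
rm /tmp/debian-{{ DIST }}-mm/var/lib/apt/lists/lock

# the list of shells might be sorted wrongly
# /var/lib/dpkg/triggers/File might be sorted wrongly
# Only the line order is normalised (in place, inside both chroots); the
# contents are still compared by the recursive diff below.
for f in "/var/lib/dpkg/triggers/File" "/etc/shells"; do
  f1="/tmp/debian-{{ DIST }}-debootstrap/$f"
  f2="/tmp/debian-{{ DIST }}-mm/$f"
  # both chroots must have the file -- if one lacks it, leave it to the
  # recursive diff to report
  if [ ! -e "$f1" ] || [ ! -e "$f2" ]; then
    continue
  fi
  # the file must be different
  if cmp "$f1" "$f2"; then
    continue
  fi
  # then sort both
  sort -o "$f1" "$f1"
  sort -o "$f2" "$f2"
done

# Because of unreproducible uids (#969631) we created the _apt user ourselves
# and because passwd is not Essential:yes we didn't use useradd. But newer
# versions of adduser and shadow will create a different /etc/shadow
# (a "!" locked entry without ageing fields instead of "*" with defaults;
# both forms disable password login)
for f in shadow shadow-; do
  if grep -q '^_apt:!:' /tmp/debian-{{ DIST }}-debootstrap/etc/$f; then
    sed -i 's/^_apt:\*:\([^:]\+\):0:99999:7:::$/_apt:!:\1::::::/' /tmp/debian-{{ DIST }}-mm/etc/$f
  fi
done
# same as above but for cron and systemd groups
for f in gshadow gshadow-; do
  for group in systemd-journal systemd-network systemd-resolve crontab; do
    if grep -q '^'"$group"':!:' /tmp/debian-{{ DIST }}-debootstrap/etc/$f; then
      sed -i 's/^'"$group"':x::/'"$group"':!::/' /tmp/debian-{{ DIST }}-mm/etc/$f
    fi
  done
done

# workaround for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917773
# If the shadow files still differ, rewrite the third field (date of last
# password change, in days) of every entry in the mmdebstrap copy from
# SOURCE_DATE_EPOCH.  shadow and shadow- get identical treatment.  The result
# is written back through `cat >` rather than mv so that the existing file's
# mode and ownership are kept instead of being replaced by those of the
# umask-created .bak file.
for f in shadow shadow-; do
  if ! cmp /tmp/debian-{{ DIST }}-debootstrap/etc/$f /tmp/debian-{{ DIST }}-mm/etc/$f; then
    echo patching /etc/$f on {{ DIST }} {{ VARIANT }} >&2
    awk -v FS=: -v OFS=: -v SDE={{ SOURCE_DATE_EPOCH }} '{ print $1,$2,int(SDE/60/60/24),$4,$5,$6,$7,$8,$9 }' < /tmp/debian-{{ DIST }}-mm/etc/$f > /tmp/debian-{{ DIST }}-mm/etc/$f.bak
    cat /tmp/debian-{{ DIST }}-mm/etc/$f.bak > /tmp/debian-{{ DIST }}-mm/etc/$f
    rm /tmp/debian-{{ DIST }}-mm/etc/$f.bak
  else
    echo no difference for /etc/$f on {{ DIST }} {{ VARIANT }} >&2
  fi
done

# Because of unreproducible uids (#969631) we created the _apt user ourselves
# and because passwd is not Essential:yes we didn't use useradd. But passwd
# since 1:4.11.1+dfsg1-1 will create empty mail files, so we create it too.
# https://bugs.debian.org/1004710
if [ "{{ VARIANT }}" = - ]; then
  if [ -e /tmp/debian-{{ DIST }}-debootstrap/var/mail/_apt ]; then
    touch /tmp/debian-{{ DIST }}-mm/var/mail/_apt
    # uid 100 is the _apt uid hard-coded in the passwd hook above; gid 8 is
    # presumably the mail group -- confirm against base-passwd
    chmod 660 /tmp/debian-{{ DIST }}-mm/var/mail/_apt
    chown 100:8 /tmp/debian-{{ DIST }}-mm/var/mail/_apt
  fi
fi

# check if the file content differs
diff --unified --no-dereference --recursive /tmp/debian-{{ DIST }}-debootstrap /tmp/debian-{{ DIST }}-mm >&2

# check permissions, ownership, symlink targets, modification times using tar
# directory mtimes will differ, thus we equalize them first
find /tmp/debian-{{ DIST }}-debootstrap /tmp/debian-{{ DIST }}-mm -type d -print0 | xargs -0 touch --date="@{{ SOURCE_DATE_EPOCH }}"
# debootstrap never ran apt -- fixing permissions
# (0700 _apt:root is what the apt run in the mmdebstrap tree leaves behind)
for d in ./var/lib/apt/lists/partial ./var/cache/apt/archives/partial; do
  chroot /tmp/debian-{{ DIST }}-debootstrap chmod 0700 "$d"
  chroot /tmp/debian-{{ DIST }}-debootstrap chown _apt:root "$d"
done
# --numeric-owner makes the listing independent of the host's passwd/group;
# --sort=name makes it independent of directory order.
mtime=$(date --utc --date=@{{ SOURCE_DATE_EPOCH }} --iso-8601=seconds)
tar -C /tmp/debian-{{ DIST }}-debootstrap --numeric-owner --sort=name --clamp-mtime --mtime="$mtime" -cf /tmp/root1.tar .
tar -C /tmp/debian-{{ DIST }}-mm --numeric-owner --sort=name --clamp-mtime --mtime="$mtime" -cf /tmp/root2.tar .
tar --full-time --verbose -tf /tmp/root1.tar > /tmp/root1.tar.list
tar --full-time --verbose -tf /tmp/root2.tar > /tmp/root2.tar.list
diff -u /tmp/root1.tar.list /tmp/root2.tar.list
rm /tmp/root1.tar /tmp/root2.tar /tmp/root1.tar.list /tmp/root2.tar.list

# check if file properties (permissions, ownership, symlink names, modification time) differ
#
# we cannot use this (yet) because it cannot cope with paths that have [ or @ in them
#fmtree -c -p /tmp/debian-{{ DIST }}-debootstrap -k flags,gid,link,mode,size,time,uid | sudo fmtree -p /tmp/debian-{{ DIST }}-mm

rm -r /tmp/debian-{{ DIST }}-debootstrap /tmp/debian-{{ DIST }}-mm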